Squid: denial of service in http digest authentication
CVE-2023-46847

7.5HIGH

Key Information:

Vendor: Red Hat
Status: Red Hat Enterprise Linux 6 Extended Lifecycle Support; Red Hat Enterprise Linux 7; Red Hat Enterprise Linux 7.6 Advanced Update Support; Red Hat Enterprise Linux 7.7 Advanced Update Support
Vendor: CVE Published:; 3 November 2023

Summary

Squid is vulnerable to a Denial of Service, where a remote attacker can perform buffer overflow attack by writing up to 2 MB of arbitrary data to heap memory when Squid is configured to accept HTTP Digest Authentication.

Affected Version(s)

Red Hat Enterprise Linux 6 Extended Lifecycle Support 7:3.4.14-15.el6_10.1

Red Hat Enterprise Linux 6 Extended Lifecycle Support 7:3.1.23-24.el6_10.1

Red Hat Enterprise Linux 7 7:3.5.20-17.el7_9.9

References

https://access.redhat.com/errata/RHSA-2023:6266

vendor-advisoryx_refsource_REDHAT

https://access.redhat.com/errata/RHSA-2023:6267

vendor-advisoryx_refsource_REDHAT

https://access.redhat.com/errata/RHSA-2023:6268

vendor-advisoryx_refsource_REDHAT

EPSS Score

3% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 3, 2023
Vulnerability Reserved
Oct 27, 2023

Collectors

NVD DatabaseMitre Database